⚠️ Moving Domain Registrar

This post is a little out of the blue; however, Google Domains appears to be selling all of its domains to Squarespace Domains, so if you are currently using Google, your domain will be moved over automatically at some point in the future.

Preface and background first, the technical moving at the bottom; I need to set the scene ⬇️⬇️⬇️

Questions? Yes, many!!

Yes, I had lots of questions: are they any good, what features do you get with the Squarespace registrar, and how good is the customer service, or for that matter the technical support, when stuff goes wrong?

Support Options 🛟

This was the one that shocked me the most. Since I moved to Google Domains I have really had no reason to contact support, apart from when their website did not work as expected, and I got round that by being able to import zones as BIND files. However, the customer support for Google Domains is bad, very bad, according to sites like Trustpilot, which also shocked me because the other provider I was looking to move to got equally bad reviews. But surely you only need to worry about technical support when things go wrong, right?

Well, on my mission to find out what features I would get with my new provider I found many things I really, really did not like. There is no way to move the domain over early, so I bought a domain to see what my options were.....

Squarespace: the truth 🧚‍♀️

Yes, the website makes the transition look fantastic, but unfortunately you have very little control of your domain once you move to this particular registrar. First of all, it is pot luck which registrar actually holds your domain; the demo domain I purchased ended up with Tucows.

Then you get onto the feature set, or the options you can configure: there is no email management, so that rules out email forwarding and mailboxes. However, they are linked up with Google Workspace, so if you would like a full-blown Google Workspace mailbox, that starts at £5.90 per user per month.

DNS management was very weak: there is no option for DNSSEC, the record types you are allowed to create are very minimal compared to other providers, and the website was full of suggestions about why you should buy a Squarespace website....

Moving right along to websites: if you did not want to use a web forwarding address, you essentially had to use the Squarespace product or other partnered services to redirect your website. Quite disappointing here; the website made it look like a very clean and feature-rich management portal, but it is not, it is very, very basic.

If you are happy with basic settings because you do not really want to get involved in technical DNS management then I am sure it will be absolutely fine, but if you want to make the domain secure and have extra security features, it is really not that great.

Calculating Options 👨‍💻

There are quite a few places that can manage your domain, so the usual ones popped into my head:

Namecheap
Cloudflare
Domain.com
Hover
Gandi
Uniregistry

What should I do? 🐏

Namecheap has a fantastic website that is very manageable. However, if you are just interested in email forwarding, many of the mail servers you will be using are on one blacklist or another; for the domain I purchased all 4 servers were on the same blacklist. When I contacted support about this observation, they kept me on hold for 10 minutes and then never got back to me.

Namecheap also has a fantastic WordPress integration called EasyWP, which is an absolute breeze to set up and very easy to manage, and you get a pretty little interface that tells you how the health of your instance is getting on.

I was very impressed with how easy it was to set up and then link it to the domain I had just purchased, but within a couple of days of it being online I went through a phase of receiving lots of HTTP 504 errors, which is the lovely gateway time-out error, so my website was replaced with an undocumented bug 🐜 (which is actually quite a common occurrence if you read their forums).

Domain.com did not really excite me with its management features and seems to offer very basic domain management; plus everything is in USD, which means, depending on your bank, you may have to pay a currency conversion fee.

Uniregistry has unfortunately been purchased by GoDaddy, and I am very sorry, but I am not having a registrar called GoDaddy. You may decide that is a fantastic idea, but no, absolutely not for me.

Gandi is good, but its services are again basic and you get no enhanced security controls like you do with other providers. It is also fairly basic on the management side, though you do get lots of management options such as DNS, DNSSEC, mail forwarding and web forwarding; with website forwarding it can take 4 hours for the changes to apply consistently.

Cloudflare, could it be ? 🦖

Cloudflare is an amazing DNS and security service that now offers itself as a registrar, which is fantastic, so let's get a test domain working on a test Blogger site first, before we move the production domain. The test domain is called "grizzybear.uk".

You also get some rather jazzy data points from the website, where you can monitor the "performance" of your website; this is an example:


Then you can also break the performance down into rather helpful charts, if you are into that.....



You also get e-mail forwarding, which is fantastic, as you can see here:


Then you can specify custom addresses and have a rule to "drop" mail to anyone not on that list. Note that the drop does not send an NDR: the message is accepted and then discarded internally, so the sender never sees a bounce. You can see this below:



So this shows that I have received 6 e-mails, of which 4 have been forwarded and 2 have been dropped; the dropped ones were not on the list of custom addresses above.....


Anyway, that is enough charts and analytics, let's get the test domain moved. Please remember this is the test domain grizzybear.uk; once it is proved on this domain we will commence on the live domain, so let's begin.

Warning: Please remember you can break your website/domain if you do this wrong. This will break all the services provided by DNS, which can include website, e-mail, SPF, DMARC, DKIM and BIMI. I cannot accept responsibility for outages caused by following this blog!!!!!

Remember: Once you move your domain you cannot move it again for 60 days (the standard post-transfer lock), so choose wisely ⚔️

Lab 🧪 it out: Before moving your live and production domain, please test your theory and technical abilities with a test domain. Please do not be the person that moves a live domain with no safety net or testing!!!!

Test Domain: Theory Proving

This will cover moving to Cloudflare and Gandi. As you will see, the Gandi approach is easier and the Cloudflare approach is quite technical, but the choice is then yours to make; as with many things, secure and protected services are usually harder to set up!

Pre-Flight Checks ✈️ 

  1. Disable DNSSEC
  2. Wait for DNSSEC to be removed and unpublished (48 hours, or until the DS record has gone from the parent zone and its TTL has expired)
  3. Make no DNS changes on the old NS servers (ideally)
  4. Unlock the domain (remove the transfer lock)
  5. If you are moving a .uk domain, set the IPS tag to the new registrar's tag
  6. If you are moving any other domain extension, obtain the authorisation (EPP) code from the current registrar
  7. Initiate the transfer process, preserving the current NS (if available)
  8. Transfer in process
  9. Transfer complete

Cloudflare: Moving the Blog

Ultimately I did not move to Cloudflare, because I use the Blogger platform, but this section has been left in to help others out and avoid confusion!

Right, so the domain is grizzybear.uk, and we need to create a new Blogger blog to test with. For that, log in to Blogger, click the dropdown on your list of blogs and choose "New blog":



Then give that a name:



Then you need to give it a BlogSpot name, which will be the primary domain; this does not matter, as it will not be used....



Once that is complete, navigate to the Settings section.....



Then under Settings > Publishing find Custom domain and click it......


You will now need to enter the domain name; you will not be allowed to add the root domain (I hate the term "naked domain").



This means it will require a www before the domain name, like this. If your domain registrar is not "supported" you will be given the DNS records to create for this to work......here I have done this before, so I do not get this option.....then you need to click Save.



You should now see this in the Publishing section: the custom domain should be there and "Redirect domain" should be enabled, so that the "root" domain is redirected, as below:


Then you need to create the CNAME records. Here you can see the CNAME records added as a "www" record and a "vwd7upg2434a" record; notice they are proxied, which means they go through the full Cloudflare proxy:



Now you need to go back to the HTTPS section of the Blogger settings, and you will notice that HTTPS is off:



You will need to enable this so it starts the pending process, like this:

This process can take up to 10 minutes to complete, as it needs to do the certificate generation in the background, so give it some time.



If you try to visit the website during this time you will get this error, as the certificate has not been generated and Cloudflare cannot establish a TLS connection to the Blogger site; this means, again, you need to wait!




Right, here we got an error, as you can see below:


This is because your CNAME records are "proxied" in Cloudflare, so in Cloudflare navigate to the DNS records section, find the two CNAME records, edit them and turn off the proxied status so they are DNS only, as below:


Ensure you do this for both records, as both are required to generate the certificate. Here you can see both are DNS only now:



You may notice that after updating the CNAME records to DNS only your website completely fails to load; this is temporary.


Then in Blogger, under the HTTPS section, turn HTTPS availability off and back on again to force it to retry.



This is how the HTTPS section in Blogger should look when it is working as it should and the certificate has been generated:


Right, now you have a certificate, and the website will work when you visit it with the www name, in this example www.grizzybear.uk, but not if you visit it as grizzybear.uk. So you have half fixed it, but let's check the DNS in Cloudflare...I seem to be missing the A records for the root domain, so let's add those in, as below:



After you add the A records, this shows that all the Blogger A and CNAME records are proxied via Cloudflare, which means the internet cannot look up the origin records directly; everything goes via Cloudflare. This gives you maximum protection but will cause functionality issues:


This means if you visit https://www.grizzybear.uk you get the correct website, as you can see here:


However, if you visit the root domain https://grizzybear.uk you get this error about a handshake failure, as you can see here:


This is down to the fact that Cloudflare is the proxy: clients are hitting Cloudflare's edge rather than the public Blogger records, so the root-domain redirect Blogger would normally handle does not happen, which means you need to create a Page Rule to get this working as designed.

To add a Page Rule, from the Cloudflare menu choose Rules > Page Rules:


Then you need to add this rule, which essentially takes traffic on https://grizzybear.uk and forwards it to https://www.grizzybear.uk with a "Forwarding URL" action using a 302 status code. Note that a 302 signals a temporary redirect; if you want browsers and search engines to treat the move as permanent, choose 301 instead. The rule is shown below:


That will then show in the main rules section; ensure the rule is enabled, as below:


Then the moment you enable this rule, ka-ching, your website is now online from the root domain, as you can see here:


Excellent, so it is all fixed? Well, no, not quite. The HTTPS certificate Blogger issues only lasts 90 days, so let's fetch that certificate with nmap using this command:

nmap --script ssl-cert -p 443 www.grizzybear.uk


You get this, but there is an issue here: look at the "Not valid after" line. The certificate is only valid until 15 November 2023, at which point it needs to be renewed, and the renewal process will fail, so after 3 months your Blogger site will have an expired certificate......

PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=grizzybear.uk
| Subject Alternative Name: DNS:grizzybear.uk, DNS:*.grizzybear.uk
| Issuer: commonName=GTS CA 1P5/organizationName=Google Trust Services LLC/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-17T13:26:36
| Not valid after:  2023-11-15T13:26:35
| MD5:   af2d 19f9 6ecb 283f ffac e810 01bd f9cc
|_SHA-1: cccc f49a 80dd 50f5 1cd1 ecf3 2d56 57fa d362 779a

This is down to the fact that the CNAME record is hidden behind the Cloudflare proxy. When you ask for the CNAME record vwd7upg2434a.grizzybear.uk, the one the certificate renewal process needs to look up, you get an empty answer with only the SOA in the authority section (a NODATA response), which means the record does not exist publicly without going through the proxied connection.

Remember: If you choose Cloudflare with Blogger you will need to set the CNAME records to DNS only every three months; failure to do this will mean your certificate expires.

nslookup -q=cname vwd7upg2434a.grizzybear.uk

grizzybear.uk
        primary name server = rick.ns.cloudflare.com
        responsible mail addr = dns.cloudflare.com
        serial  = 2318094893
        refresh = 10000 (2 hours 46 mins 40 secs)
        retry   = 2400 (40 mins)
        expire  = 604800 (7 days)
        default TTL = 1800 (30 mins)

Then if you query for the A record you get the IPs of the Cloudflare proxy, which is not what the certificate renewal process is expecting:

nslookup -q=a vwd7upg2434a.grizzybear.uk

Non-authoritative answer:
Name:    vwd7upg2434a.grizzybear.uk
Addresses:  172.67.218.218
          104.21.53.214

However, if you go to the Cloudflare DNS page and make that record DNS only, not proxied, as you can see below:


now when you check the CNAME you get the correct response from the DNS server, as shown below:

nslookup -q=cname vwd7upg2434a.grizzybear.uk

Non-authoritative answer:
vwd7upg2434a.grizzybear.uk      canonical name = gv-zjxx7grsfg4hsdsma.dv.googlehosted.com

This now means the certificate can be renewed, but only with the record un-proxied in Cloudflare. So the question I have is that for this to function you seem to have to run Cloudflare in DNS-only mode, which removes all the protection and the point of using Cloudflare, so let's set all the records to DNS only and check back after propagation.
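The two lookups above (CNAME query answered with only an SOA, A query answered with Cloudflare addresses) are the fingerprint of a proxied record, and the "every three months" reminder is exactly the sort of thing that gets forgotten. The following is an added example, not code from the original post or from Cloudflare or Blogger, that turns those two answers into a yes/no state and reads the expiry out of the nmap ssl-cert output shown above, so the renewal risk can be checked by a script or cron job. The sample answers are constructed from the values in the post; the Cloudflare IPv4 ranges are a hard-coded snapshot of the published list (https://www.cloudflare.com/ips/) and should be refreshed from there.

```python
"""Added example (not part of the original post): decide from DNS answers
whether Blogger's certificate-validation CNAME is publicly resolvable, and
how long the current certificate has left, so the "flip to DNS only every
three months" chore can be alerted on instead of remembered."""
import ipaddress
import re
from datetime import datetime

# Assumption: snapshot of Cloudflare's published IPv4 anycast ranges at the
# time of writing. Refresh from https://www.cloudflare.com/ips/ before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Blogger's validation CNAME points at a name under this suffix (seen in the post).
GOOGLE_VALIDATION_SUFFIX = ".dv.googlehosted.com"


def is_cloudflare_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in CLOUDFLARE_V4)


def classify_validation_record(cname_target, a_records):
    """Classify what the public internet sees for the validation name.

    cname_target: the CNAME answer, or None when the resolver returned no CNAME
                  (empty answer section, SOA in the authority section, as in the
                  post's nslookup output for the proxied record).
    a_records:    IPv4 strings returned for an A query of the same name.
    """
    if cname_target:
        target = cname_target.rstrip(".").lower()
        return "dns-only" if target.endswith(GOOGLE_VALIDATION_SUFFIX) else "wrong-target"
    if a_records and all(is_cloudflare_ip(ip) for ip in a_records):
        return "proxied"      # record exists, but only Cloudflare's edge is visible
    if not a_records:
        return "missing"      # no record at all
    return "unexpected"       # an A record that is neither Cloudflare nor a CNAME


NOT_AFTER_RE = re.compile(r"Not valid after:\s*(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")


def days_until_expiry(nmap_ssl_cert_output: str, now) -> int:
    """Whole days left on the certificate reported by `nmap --script ssl-cert`.
    `now` may be a datetime or a 'YYYY-MM-DD' string."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d")
    m = NOT_AFTER_RE.search(nmap_ssl_cert_output)
    if not m:
        raise ValueError("no 'Not valid after' line in nmap output")
    return (datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S") - now).days


def renewal_at_risk(state: str, days_left: int, window: int = 30) -> bool:
    """True when the cert is inside the renewal window but the validation
    record is not publicly resolvable, i.e. the renewal is going to fail."""
    return days_left <= window and state != "dns-only"


if __name__ == "__main__":
    # Constructed from the answers shown in the post, not live lookups.
    proxied = classify_validation_record(None, ["172.67.218.218", "104.21.53.214"])
    dns_only = classify_validation_record("gv-zjxx7grsfg4hsdsma.dv.googlehosted.com", [])
    nmap_out = "| Not valid before: 2023-08-17T13:26:36\n| Not valid after:  2023-11-15T13:26:35\n"
    left = days_until_expiry(nmap_out, "2023-10-20")
    print(proxied, dns_only, left, renewal_at_risk(proxied, left))
```

To use it against a live domain, feed it the CNAME and A answers from your resolver library of choice (or parse `dig +short` output) and run it weekly; the "proxied" state inside the 30-day window is the condition to alert on.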

Warning: Changing the records to DNS only will invalidate your Page Rules, as they require a proxied connection to work.


Right, so since removing the proxy I can now see the public DNS records correctly:

nslookup -q=a grizzybear.uk

Non-authoritative answer:
Name:    grizzybear.uk
Addresses:  216.239.36.21
          216.239.32.21
          216.239.38.21
          216.239.34.21

This has bypassed Cloudflare, but what does that do to the website? Well, now that we have bypassed Cloudflare the website works as expected; both the root domain and the www name load spot on every time. But why use Cloudflare only to bypass it?

This only covers the website here, and remember I am using Blogger. If you have static content or a WordPress website then this will not be an issue; I find it is an issue because I am using Blogger, and while I like Blogger, until it is "sunset" by Google that is my choice.

NOTE: I will not transfer to Cloudflare as my registrar while I am using Blogger, as it has been a bit of a journey to get it working and it is far too manual to keep everything working.

⚽️ Gandi: Moving the Blog

Right, now you have the preface from the Cloudflare move, I will move another blog I have, with more content than the one before, to Gandi. First we need to set the custom domain; here we can see this is for www.diepiggydiedie.com, which is another domain I have, this time on Gandi:


Gandi, however, lets you view the DNS records in BIND zone format, which is amazing, and lets you create records in the same format, so here they are:


6u5owy4ctjhk 10800 IN CNAME gv-dmv6ocehd7e2yx.dv.googlehosted.com.
www 10800 IN CNAME ghs.google.com.

If you remember from before, these are required for the automatic certificate renewal. Once they are created, enable HTTPS availability; unlike last time, we are straight in.....

Now we need to add the A records, which will take care of the root-domain queries for Blogger. This can be done with these records on Gandi:

@ 10800 IN A 216.239.32.21
@ 10800 IN A 216.239.34.21
@ 10800 IN A 216.239.36.21
@ 10800 IN A 216.239.38.21

Then, while we are there, as Blogger supports IPv6 we can add the AAAA records for the root domain:

@ 10800 IN AAAA 2001:4860:4802:32::15
@ 10800 IN AAAA 2001:4860:4802:34::15
@ 10800 IN AAAA 2001:4860:4802:36::15
@ 10800 IN AAAA 2001:4860:4802:38::15

Right, now we are all done, so let's visit the website on https://diepiggydiedie.com and https://www.diepiggydiedie.com and see if the site loads as it should. Remember that https://diepiggydiedie.com will be redirected to the www version, so if one works the other should work.....

That confirms it: both addresses work with minimal effort and all the automation is still valid. That looks good for the main site to me.

Gandi: email forwarding

This is simple: for forwarding, under the e-mail option navigate to Forwarding address > Create a forwarding address:



Then you provide the address you require and the address you want the e-mails sent to, and click Create.....


I will need a couple of these for the production domain, but it is that simple.

Gandi: DNS/DNSSEC

This is mega simple here. The NS (name servers) are all set in this instance; they are not the old NS records, but this is what it looks like:



Then for DNSSEC, this is already enabled and active, and I can confirm that I am using LiveDNS (which is the name for their DNS servers):


The main DNS panel, if you do not want the advanced version, looks like the Cloudflare one, as you can see below:


Gandi: Web forwarding

This is something Cloudflare could not do very well, due to the technical nature of trying to get Cloudflare DNS and Google's hosting working together, but with Gandi it is a breeze. The redirections are for photos and restricted; the records that point them at the redirect service are these:

photos 10800 IN CNAME webredir.gandi.net.
restricted 10800 IN CNAME webredir.gandi.net.

Then Gandi will configure this in the background for me; as a customer you cannot configure the webredir.gandi.net service itself:


Gandi: DMARC

This has obviously been set; this is the record as shown in the DNS editor. p=reject with pct=100 tells receivers to reject every message that fails DMARC alignment, sp=reject applies the same policy to subdomains, and rua is where the aggregate reports are sent:

_dmarc 10800 IN TXT "v=DMARC1;p=reject;sp=reject;pct=100;rua=mailto:lee@diepiggydiedie.com;ri=86400;aspf=r;adkim=r;fo=s"

Gandi: SPF

This is indeed set to include Gandi's mail servers for the test. Note that ?all is a neutral qualifier, so this record says nothing about mail from any other source; ~all (softfail) or -all (fail) is what you want once you are sure of your senders:

@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all"


However, for the production domain it will look more like this:

@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net include:_spf.google.com ?all"


Gandi: TXT Records

The only TXT records for the domain diepiggydiedie.com are the SPF and DMARC records, and we can confirm all of these records are active and valid.

Gandi: External Check

This is a pass as well: we only use DMARC and SPF and they are all green. Finally, as we use mailbox forwarding it is not this domain that will send e-mails, so it does not require DKIM, and I do not use BIMI.


Gandi: Lock Domain

This is the last thing I can think of for the test domain before the live move of the current domain; I can confirm the domain is locked at Gandi.

Post Flight Checks ✈️ 

All of these are a pass for the diepiggydiedie.com domain, as you can see below, and they are explained above:

  1. Lock domain
  2. Add website forwards (where applicable)
  3. Add mail forwards (where applicable)
  4. Add SPF
  5. Add DMARC
  6. Add DKIM
  7. Add TXT records (where applicable)
  8. Switch over NS servers
  9. Enable and sign DNSSEC

a6n.co.uk: Move the Production Domain/Services

Right, first thing, let's get the pre-flight checklist from before:

Live: Pre-Flight Checks ✈️

  1. Disable DNSSEC
  2. Wait for DNSSEC to be removed and the zone unsigned (48 hours, or until the DS record has gone from the parent zone and its TTL has expired)
  3. Make no DNS changes on the old NS servers (ideally)
  4. Unlock the domain (remove the transfer lock)
  5. If you are moving a .uk domain, set the IPS tag to the new registrar's tag
  6. If you are moving any other domain extension, obtain the authorisation (EPP) code from the current registrar
  7. Initiate the transfer process, preserving the current NS (if available)
  8. Transfer in process
  9. Transfer complete

It is always best to do this live with the move, so let's get started. This confirms that DNSSEC is disabled and the zone unsigned; this has been the case for 4 days, and no updates to the DNS records have been made since it was disabled, so we are all good there:



The transfer had already been added, as you can see here; this is the live domain:


If you look at the information about that transfer you will see that the IPS tag has not been set to GANDI, which confirms that the domain is locked and cannot be moved.....


The domain is currently locked; however, when we go to set the IPS tag it will ask you to unlock the domain, as you can see here:

Then I need to enter the new IPS tag into Google Domains:

You then get another option to stop the transfer:


WARNING: If you are using email forwarding with Google and the Google mail servers, once you click re-launch and the transfer completes Google will stop accepting mail for that domain; anyone e-mailing the domain will get the error below, so you may experience an outage in e-mail delivery until your new forwarding and MX records are in place!

550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces.

Then we need to go back to Gandi and click the re-launch button to start the process again, now that the IPS tag has been changed:



This will then restart the transfer:


This time, however, you will get past the initialisation and end up at the e-mail confirmation, as you can see here:


Next up is the transfer authority e-mail, which looks like this; you will need to authorise and validate it, as below:


This will then complete the transfer:


Then you will see the domain in your new registrar, as below:


Boom! You are done: you have now moved your domain from Google to Gandi (in my example), but the process will be the same for other registrars. Now we are on to the last section, the post-live checks.

Live: Post-Flight Checks ✈️

  1. Switch NS servers
  2. Enable DNSSEC
  3. Lock Domain
  4. Import DNS zone

Switch NS servers

This is done in the management portal. As I moved the domain with the old NS still in use, I was set to External, like this:


Therefore, to move my NS to the correct location I needed to use the "Gandi LiveDNS" option and apply it, as below:


Enable DNSSEC

This is very simple with my new registrar: from the domain name panel you will notice DNSSEC is disabled, so click the Inactive hyperlink:



Once there, click the "Enable DNSSEC" button and, hey presto, it is active.


Lock Domain

I would always do this, as it prevents other people from trying to transfer your domain away from you. For me this is in the "Transfer out" section, and all you need to do is enable the "transfer lock", as below:


Import DNS zone

This one is simple. Many domain providers allow the export of a BIND zone file, and as Gandi's advanced editor accepts BIND-format records we can get right to it. First the default values; these are all publicly accessible, as that is how DNS works, so there is nothing sensitive or private in these records:

@ 10800 IN SOA ns1.gandi.net. hostmaster.gandi.net. 1692716358 10800 3600 604800 10800
@ 10800 IN A 217.70.184.55
@ 10800 IN MX 10 spool.mail.gandi.net.
@ 10800 IN MX 50 fb.mail.gandi.net.
_imap._tcp 10800 IN SRV 0 0 0 .
_imaps._tcp 10800 IN SRV 0 1 993 mail.gandi.net.
_pop3._tcp 10800 IN SRV 0 0 0 .
_pop3s._tcp 10800 IN SRV 10 1 995 mail.gandi.net.
_submission._tcp 10800 IN SRV 0 1 465 mail.gandi.net.
gm1._domainkey 10800 IN CNAME gm1.gandimail.net.
gm2._domainkey 10800 IN CNAME gm2.gandimail.net.
gm3._domainkey 10800 IN CNAME gm3.gandimail.net.
webmail 10800 IN CNAME webmail.gandi.net.
www 10800 IN CNAME webredir.gandi.net.

Then I need the records to add from my old domain provider, which are these; they point the website at Blogger and add the SPF and DMARC records. Remember to remove the default @ A record and the www CNAME that Gandi pre-populated, otherwise the zone ends up with two CNAMEs for www (which is not valid) and the parking address mixed in with the Blogger addresses:

@ 3600 IN A 216.239.32.21
@ 3600 IN A 216.239.34.21
@ 3600 IN A 216.239.36.21
@ 3600 IN A 216.239.38.21
@ 3600 IN AAAA 2001:4860:4802:32::15
@ 3600 IN AAAA 2001:4860:4802:34::15
@ 3600 IN AAAA 2001:4860:4802:36::15
@ 3600 IN AAAA 2001:4860:4802:38::15
_dmarc.a6n.co.uk. 3600 IN TXT "v=DMARC1;p=reject;sp=reject;pct=100;rua=mailto:5474d6ccb3@rua.easydmarc.us;ruf=mailto:5474d6ccb3@ruf.easydmarc.us;ri=86400;aspf=s;adkim=r;fo=s"
www.a6n.co.uk. 3600 IN CNAME www.a6n.co.uk.ghs.googlehosted.com.
@ 10800 IN TXT "v=spf1 include:_spf.google.com  include:_mailcust.gandi.net ~all"

You also have these records; however, they require the configuration of the redirect service as well, and on their own they tell you nothing, they are just a place to direct traffic for the redirector to take care of:

service 10800 IN CNAME webredir.gandi.net.
static 10800 IN CNAME webredir.gandi.net.
status 10800 IN CNAME webredir.gandi.net.
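Because the Gandi editor takes BIND-format records, the import is a good place to run a few automated checks before the zone goes live: the defaults above contain an apex A record and a www CNAME that will collide with the Blogger records, the test domain's SPF used the neutral ?all qualifier, and a DMARC policy can silently be weaker than intended. The following validator is an added example, not code from the original post or from Gandi; the zone it parses is constructed from the records shown in this post, with the Gandi defaults and the imported records merged as they would be before cleanup, and the DMARC rua address is a placeholder.

```python
"""Added example (not part of the original post or of Gandi's tooling):
validate a BIND-style zone before pasting it into the new registrar."""
import re
from collections import defaultdict

# Blogger's four apex addresses, as listed in the post.
BLOGGER_APEX_A = {"216.239.32.21", "216.239.34.21", "216.239.36.21", "216.239.38.21"}

# Constructed sample: Gandi defaults merged with the imported Blogger/mail
# records, before the leftovers are removed (rua address is a placeholder).
SAMPLE_ZONE = """\
@ 10800 IN SOA ns1.gandi.net. hostmaster.gandi.net. 1692716358 10800 3600 604800 10800
@ 10800 IN A 217.70.184.55
@ 10800 IN MX 10 spool.mail.gandi.net.
@ 10800 IN MX 50 fb.mail.gandi.net.
www 10800 IN CNAME webredir.gandi.net.
@ 3600 IN A 216.239.32.21
@ 3600 IN A 216.239.34.21
@ 3600 IN A 216.239.36.21
@ 3600 IN A 216.239.38.21
www 3600 IN CNAME ghs.google.com.
@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
_dmarc 3600 IN TXT "v=DMARC1;p=reject;sp=reject;pct=100;rua=mailto:dmarc@example.com;aspf=r;adkim=r;fo=s"
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")
# Mechanisms/modifiers that cost a DNS lookup under the SPF limit of 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "exists", "redirect"}


def parse_zone(text):
    """Parse 'owner ttl IN type rdata' lines into (owner, ttl, type, rdata) tuples."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        owner, ttl, rtype, rdata = m.groups()
        if rtype == "TXT":  # join quoted chunks into one string
            rdata = "".join(re.findall(r'"([^"]*)"', rdata))
        records.append((owner, int(ttl), rtype, rdata.strip()))
    return records


def check_zone(records):
    """Return (level, code, detail) findings; an empty list means the zone is clean."""
    findings = []
    by_owner = defaultdict(lambda: defaultdict(list))
    for owner, _ttl, rtype, rdata in records:
        by_owner[owner][rtype].append(rdata)

    # CNAME hygiene: one CNAME per owner, and nothing else beside it.
    for owner, types in list(by_owner.items()):
        cnames = types.get("CNAME", [])
        if len(cnames) > 1:
            findings.append(("error", "cname-duplicate", f"{owner}: {cnames}"))
        if cnames and len(types) > 1:
            others = sorted(t for t in types if t != "CNAME")
            findings.append(("error", "cname-conflict", f"{owner}: CNAME alongside {others}"))

    # Apex A set must be exactly Blogger's; a leftover parking address would be
    # served for a share of queries and break the site intermittently.
    apex_a = set(by_owner["@"].get("A", []))
    for ip in sorted(apex_a - BLOGGER_APEX_A):
        findings.append(("error", "apex-a-stray", ip))
    for ip in sorted(BLOGGER_APEX_A - apex_a):
        findings.append(("error", "apex-a-missing", ip))

    # SPF: exactly one record, a meaningful 'all' qualifier, within the lookup limit.
    spf = [t for t in by_owner["@"].get("TXT", []) if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(("error", "spf-count", str(len(spf))))
    else:
        terms = spf[0].split()
        tail = terms[-1].lower()
        if tail in ("?all", "+all"):
            findings.append(("warn", "spf-weak-all", tail))
        elif tail not in ("~all", "-all"):
            findings.append(("warn", "spf-no-all", tail))
        lookups = sum(1 for t in terms[1:]
                      if re.split(r"[:=/]", t.lstrip("+-~?"))[0].lower() in SPF_LOOKUP_TERMS)
        if lookups > 10:
            findings.append(("error", "spf-lookups", str(lookups)))

    # DMARC: one record, an enforcing policy, reporting address, full coverage.
    dmarc = [t for t in by_owner["_dmarc"].get("TXT", []) if t.upper().startswith("V=DMARC1")]
    if len(dmarc) != 1:
        findings.append(("error", "dmarc-count", str(len(dmarc))))
    else:
        tags = dict(kv.strip().split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)
        if tags.get("p", "none") == "none":
            findings.append(("warn", "dmarc-policy-none", tags.get("p", "")))
        if "rua" not in tags:
            findings.append(("warn", "dmarc-no-rua", ""))
        if int(tags.get("pct", "100")) < 100:
            findings.append(("warn", "dmarc-pct", tags["pct"]))

    if not by_owner["www"].get("CNAME"):
        findings.append(("warn", "www-missing", ""))
    return findings


if __name__ == "__main__":
    for level, code, detail in check_zone(parse_zone(SAMPLE_ZONE)):
        print(f"{level:5} {code:18} {detail}")
```

Run it on the merged sample and it reports the stray 217.70.184.55 apex record, the duplicate www CNAME and the neutral ?all; delete the two Gandi default lines and change ?all to ~all and the findings list is empty, which is the state to paste into the editor.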

That concludes this guide.

